Reputation: 13
I'm new to using Docker and need to use a lean OpenJDK 17 base-image to create an image of a Java web application and disable the ability of a user to log into a running container.
I've tried to use the amazoncorretto 17 alpine image, which purportedly has shell access disabled.

```
FROM amazoncorretto:17-alpine3.15
ENTRYPOINT ["java","-jar","/myapp.jar"]
```

But you can still log in to a container created off of this image, using `docker exec -it my-container sh`, which I need to prevent.
What is the best way of accomplishing this? Thanks in advance.
Upvotes: 1
Views: 3924
Reputation:
Simplest way would be to remove the `sh` symlink from the container, with `RUN rm /bin/sh`.
Alpine uses links to busybox for these functionalities, which can be deleted to remove the functionality:

```
# ls -l /bin/sh
lrwxrwxrwx 1 root root 12 Aug 9 08:47 /bin/sh -> /bin/busybox
```

Any other non-required functionality can be disabled the same way.
Busybox doc:

> BusyBox is a multi-call binary that combines many common Unix utilities into a single executable. Most people will create a link to busybox for each function they wish to use and BusyBox will act like whatever it was invoked as.
Upvotes: 1
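
An added example, not part of the answer above: a shell function that audits an unpacked image root filesystem (for instance one produced with `docker export`) for remaining shell entry points, covering the `sh` link the answer removes, other shell links, and the BusyBox multi-call binary itself. The function names, the directory and shell-name lists, and the sample layout are assumptions made for this illustration.

```shell
#!/bin/sh
# Added example: list shell entry points left in an unpacked image rootfs.
# Usage: audit_shells ROOTFS
# Prints one finding per line; returns 0 when clean, 1 when anything is found.

SHELL_NAMES="sh ash bash dash zsh"                  # assumed list of shell names
BIN_DIRS="bin sbin usr/bin usr/sbin usr/local/bin"  # assumed search directories

audit_shells() {
    root=${1%/}
    found=0
    for dir in $BIN_DIRS; do
        for name in $SHELL_NAMES; do
            entry="$root/$dir/$name"
            # Test the link itself: its absolute target only resolves inside the image.
            if [ -L "$entry" ]; then
                echo "link  /$dir/$name -> $(readlink "$entry")"
                found=1
            elif [ -f "$entry" ]; then
                echo "file  /$dir/$name"
                found=1
            fi
        done
        # Removing the links leaves the multi-call binary in place.
        if [ -f "$root/$dir/busybox" ]; then
            echo "multi /$dir/busybox (applets, including sh, still callable by name)"
            found=1
        fi
    done
    return "$found"
}

# Constructed sample: minimal Alpine-like layout with an empty stand-in for busybox.
make_sample_rootfs() {
    d=$(mktemp -d)
    mkdir -p "$d/bin"
    : > "$d/bin/busybox"
    ln -s /bin/busybox "$d/bin/sh"
    ln -s /bin/busybox "$d/bin/ash"
    echo "$d"
}
```

Run it against the exported filesystem of the final image; any `RUN` instruction in shell form placed after `RUN rm /bin/sh` will fail, so the removal has to be the last such step in the Dockerfile.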